Cryptography-Digest Digest #409, Volume #9 Sat, 17 Apr 99 16:13:03 EDT
Contents:
Re: Thought question: why do public ciphers use only simple ops like ("Douglas
A. Gwyn")
Re: Adequacy of FIPS-140 (Kurt Wismer)
New drop in cipher in the spirit of TEA ([EMAIL PROTECTED])
Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
(Bruce Schneier)
Re: which programs ... which algorithms ("John Bailey")
Re: New drop in cipher in the spirit of TEA (David Wagner)
Question on confidence derived from cryptanalysis. (Geoff Thorpe)
Re: Adequacy of FIPS-140 (R. Knauer)
Re: AES Competition (Helger Lipmaa)
----------------------------------------------------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Thought question: why do public ciphers use only simple ops like
Date: Sat, 17 Apr 1999 14:25:52 GMT
Terry Ritter wrote:
> Currently, cryptanalysis seems to be some sort of "one shot" contest
> against the cryptographer, as opposed to an interactive joint process
> to attain a better cipher.
That is a management problem at the developing organization.
> Even so, we still don't know that their guys aren't better, or even
> just luckier. I think it sometimes just takes a particular point of
> view to enable an alternative -- possibly much easier -- attack. And
> it may not be the smartest guy who has that new point of view.
Yes, but if your tiger team is really good and experienced
(another management issue), you can attain a certain degree
of confidence based on their positive evaluation (assuming
they didn't have uneasy feelings about undiscovered weaknesses).
> I guess I would suggest that if the goal was to get the best
> cipher, we would see a post-analysis re-design phase intended
> to fix known problems, with the final comparison being made
> between full-strength designs.
I guess you're talking about AES. If time constraints allow,
that would be one reasonable part of the evaluation procedure,
but you still have to draw the line somewhere and pick the
best-to-date.
------------------------------
From: [EMAIL PROTECTED] (Kurt Wismer)
Subject: Re: Adequacy of FIPS-140
Date: Sat, 17 Apr 1999 15:42:29 GMT
Douglas A. Gwyn ([EMAIL PROTECTED]) wrote:
: wtshaw wrote:
: > ... In short, we get back to considering the effort and data
: > requirements needed to break a key in given cryptosystems.
: Okay, I grant that that is a reasonable metric; now the question
: is how to *measure* this. The cost of a brute-force key search
: only establishes an upper bound, which is useless to us (unless
: it is so low as to already be below our security threshold).
why can't you take the minimum cost of all the attacks... it doesn't give
you a value that will remain constant in spite of new developments in
cryptanalysis but i don't see how anything could... calculating the cost for
all possible attacks on the algorithm and taking the minimum would at
least be formal and the set could be added to/updated as techniques are
refined or new ones are discovered...
it seems to me any metric is going to have to take all possible attacks
into account since no single one is best for all cryptosystems...
i know i'm stating the obvious here, but since you need to take all that
information into account, and you're looking for the lower bound on the
cost of a successful attack, i don't see any other obvious alternatives...
--
"when i ran i didn't feel like a runaway
when i escaped i didn't feel like i got away
there's more to living than only surviving
maybe i'm not there but i'm still trying"
------------------------------
From: [EMAIL PROTECTED]
Subject: New drop in cipher in the spirit of TEA
Date: Sat, 17 Apr 1999 16:01:20 GMT
I have been looking at various ciphers (TEA, RC5... etc) and have pieced
together something, which looks ok (makes sense), but I don't know about its
resistance to known attacks.
It's a really simple cipher, similar to TEA, but with (what I think) a better
key schedule. It has a mandatory key rotation (you would have to see the
source) and a data-dependent binary rotation of the individual key words. The
data-dependent rotation is only part of the key schedule strength. I also
believe this will thwart chosen plaintext attacks as the key is rotated with
the plaintext. And the same subkeys are not used for different plaintext
blocks.
I am going to write a mini-paper with documented pseudo-code. If you want to
check out the documented C code (it's rather nice code :) ), then please
see
http://members.tripod.com/~tomstdenis/nc.c
I am not making any claims, but I think it looks quite good as a drop in
encryption algorithm. It requires at least 4 rounds to function properly, but
I suggest 16 to 24 rounds. Probably in the 20-24 range. I still have to
examine it in further detail.
If you have any comments, questions or suggestions, please feel free to post
or email me in private.
Thanks for your time,
Tom
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
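Tom's post compares his key schedule to TEA's. As an added example (this is not Tom's nc.c, which is not reproduced here, and it makes no claim about nc.c), the block below implements the published TEA round function in C and checks one documented weakness of TEA's own key schedule: flipping the top bit of both k[0] and k[1] (or both k[2] and k[3]) gives a different 128-bit key that encrypts every block identically, so a TEA key has three equivalents and only 126 bits of effective key. The sample key and plaintext are constructed for the demonstration, not published test vectors.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEA_DELTA  0x9E3779B9u   /* golden-ratio constant from the TEA paper */
#define TEA_CYCLES 32            /* 32 cycles = 64 Feistel rounds, the published parameter */

/* TEA encryption of one 64-bit block v[0..1] under the 128-bit key k[0..3]. */
void tea_encrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_CYCLES; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* TEA decryption: the same rounds undone in reverse order. */
void tea_decrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t sum = (uint32_t)(TEA_DELTA * TEA_CYCLES);  /* 0xC6EF3720 after 32 cycles */
    for (int i = 0; i < TEA_CYCLES; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0;
    v[1] = v1;
}

/* Encrypt (p0, p1) under k, store the ciphertext in *c0/*c1, and return 1
   if decrypting it restores the plaintext. */
int tea_roundtrip(const uint32_t k[4], uint32_t p0, uint32_t p1,
                  uint32_t *c0, uint32_t *c1)
{
    uint32_t v[2] = { p0, p1 };
    tea_encrypt(v, k);
    *c0 = v[0];
    *c1 = v[1];
    tea_decrypt(v, k);
    return v[0] == p0 && v[1] == p1;
}

/* Return 1 if keys ka and kb encrypt the block (p0, p1) to the same ciphertext. */
int tea_same_ciphertext(const uint32_t ka[4], const uint32_t kb[4],
                        uint32_t p0, uint32_t p1)
{
    uint32_t va[2] = { p0, p1 }, vb[2] = { p0, p1 };
    tea_encrypt(va, ka);
    tea_encrypt(vb, kb);
    return va[0] == vb[0] && va[1] == vb[1];
}

/* Build the "twin" of k by flipping the top bit of k[0] and k[1].
   In each round those two words enter only as ((v1<<4)+k[0]) ^ ((v1>>5)+k[1]).
   Adding 0x80000000 to each addend flips the top bit of both terms, and the
   XOR cancels the two flips, so the round function, and hence every
   ciphertext, is unchanged. The same holds for the pair (k[2], k[3]). */
void tea_twin_key(const uint32_t k[4], uint32_t twin[4])
{
    memcpy(twin, k, 4 * sizeof(uint32_t));
    twin[0] ^= 0x80000000u;
    twin[1] ^= 0x80000000u;
}

/* Constructed sample key and block for the checks below (not a test vector). */
static const uint32_t DEMO_KEY[4] = { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u };
static const uint32_t DEMO_P0 = 0xdeadbeefu, DEMO_P1 = 0xcafebabeu;

int demo_roundtrip(void)
{
    uint32_t c0, c1;
    return tea_roundtrip(DEMO_KEY, DEMO_P0, DEMO_P1, &c0, &c1);
}

int demo_twin_equivalent(void)
{
    uint32_t twin[4];
    tea_twin_key(DEMO_KEY, twin);
    return tea_same_ciphertext(DEMO_KEY, twin, DEMO_P0, DEMO_P1);
}

/* Flipping only one of the two words is NOT an equivalent key: the flip is no
   longer cancelled, so the ciphertext changes. */
int demo_single_flip_differs(void)
{
    uint32_t k2[4];
    memcpy(k2, DEMO_KEY, sizeof k2);
    k2[0] ^= 0x80000000u;
    return !tea_same_ciphertext(DEMO_KEY, k2, DEMO_P0, DEMO_P1);
}

int main(void)
{
    printf("decrypt(encrypt(p)) == p      : %d\n", demo_roundtrip());
    printf("twin key, same ciphertext    : %d\n", demo_twin_equivalent());
    printf("single flip, different output: %d\n", demo_single_flip_differs());
    return 0;
}
```

The point for a "better key schedule" is that a schedule which mixes key words only through additions that are then XORed together can silently lose key bits; a test like the one above (try the structurally suggested key pairs and compare ciphertexts) is cheap to run against any new TEA-style design before making claims about its effective key size.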
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Thought question: why do public ciphers use only simple ops like shift
and XOR?
Date: Sat, 17 Apr 1999 18:18:34 GMT
On Fri, 16 Apr 1999 07:31:40 -0700, Sundial Services
<[EMAIL PROTECTED]> wrote:
>When I look at most publicly-available cryptographic algorithms, I see
>that nearly all of them consist of round upon round of simple operations
>like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are
>readily reversible.
Operations from the RISC subset are efficient on a wide variety of
microprocessors. Look at the AES submissions. Algorithms that
limited themselves to those operations--Serpent, Rijndael,
Twofish--had relatively equivalent performance on 8-bit CPUs, 32-bit
CPUs, smart cards, DSPs, etc. Algorithms that used more complicated
operations like data dependent rotations and multiplications--Mars,
RC6, DFC--had widely different performance depending on the particular
characteristics of the CPU they are running on.
For a standard cipher at least, sticking to the RISC subset is just
smart.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
------------------------------
From: "John Bailey" <[EMAIL PROTECTED]>
Subject: Re: which programs ... which algorithms
Date: Sat, 17 Apr 1999 14:53:26 -0400
Phil Howard wrote in message ...
>I'm interested in finding some tool to access a remote server in a way
>that is strongly authenticated using algorithms not encumbered by commercial
>copyright or patent issues
Why don't you start with what the big boys use?
1.1 What is Kerberos?
From <http://web.mit.edu/kerberos/www/>
Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by
using secret-key cryptography. A free implementation of this
protocol is available from the Massachusetts Institute of
Technology. Kerberos is available in many commercial products as
well.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: New drop in cipher in the spirit of TEA
Date: 17 Apr 1999 12:07:49 -0700
You might want to look at it a little more closely.
If I understand the algorithm, I think even a million rounds of
it can be broken with a handful of chosen texts.
(But I'm not sure; you should check the details.)
P.S. This actually seems like it would make a really nice homework
problem for a class in cryptanalysis. I'll have to remember this
one -- I don't think I could have come up with something this
clever if I had tried.
------------------------------
From: Geoff Thorpe <[EMAIL PROTECTED]>
Subject: Question on confidence derived from cryptanalysis.
Date: Sat, 17 Apr 1999 15:00:25 -0400
Hi there,
I have been following this thread with interest, albeit silently for a
while, and for the most part I have enjoyed the intellectual
horn-locking, especially Terry's unconventional but often insightful
contributions. However, good ideas can quickly get buried in slop, or
just unmasked as reactionary drivel as they seem (IMHO) to in Mr
Ritter's post below ...
Terry Ritter wrote:
> Sure they are. As far as I know, Schneier's point has always been
> that cryptanalysis is the way we know a cipher's strength. I'm sure
> he would agree that this is not proof, but I do not agree that it says
> anything at all. The implication that cryptanalysis would like to
> promote is indeed that of tested strength.
Your contributions in this thread seem to have an emerging theme ...
that continued testing of a cipher by cryptanalysts (presumably using
the "current most widely recognised techniques") does not guarantee some
absolute/quantitative strength of the cipher against any attack (which
I'm sure we would ALL, including Mr Schneier, agree with). However you
also seem to suggest that it gives us no indication of tested strength
at all. And here I disagree with you.
You want to sound a cautionary note that we all risk being naive and
over-confident in our "cryptanalytic testing" of ciphers - excellent
point and it is well taken. However, please do not go so far as to be
similarly naive yourself, and to play things out to a theoretical abyss
and expect us to follow you there.
History does in fact support the claim that bashing away at problems
with the best techniques you can come up with at the time, for a period
of time, DOES give some degree of confidence in "strength" that failing
to do so does not. Here strength is a practical measure, not a theoretical
one.
Now no rational person is going to tell you that RSA simply will never
be attacked at a much better complexity than the best current factoring
techniques. Similarly, no rational person should assure you that
attacking DES or triple DES will never improve much beyond brute-force
key-searches. However, I will humbly suggest to you we ARE a lot safer
against those possibilities than similar risks with newer and less
studied techniques - and that history and common sense DO give us the
right to those basic assumptions contrary to the gloomy and highly
unhelpful view you hold.
A quick glance at any of the big mathematical problems in history,
particularly the ones that are simply stated (ie the difficulty is not
composed even partially out of obscurity - it looks more like a brick
wall than a maze), shows that they almost always are either not solved
even today, or were solved using techniques much more sophisticated than
those available to those who posed the original question and first tried
to solve it. Indeed the classical problems have typically given rise to
entire branches of mathematics that grew out of a pursuit of that
problem.
Fermat's Theorem is the obvious example but there are others too.
Someone more up to date with things could clarify, but I think they were
trying to refine Andrew Wiles' proof a little to slice a couple of
hundred pages off it ... it simply was not solved using a ruler and
compass and the odd quadratic here and there. And yes, as I'm sure
you're thinking, it IS possible it can be solved with a ruler and
compass and the occasional discriminant. But most people will be happy
to accept that that is a lot LESS likely to happen than if I just pose a
new simply stated differential equation and state it can't be solved in
simple terms only to have someone prove me wrong.
Techniques, understanding, and formalised mathematical frameworks evolve
- occasionally someone does throw something new and useful in and things
accelerate for a while, but sudden breaks solving historical problems
with simple techniques are VERY much the exception not the rule.
Let me ask the following - do you disagree with the following statement;
"History has demonstrated time and time again, that the longer a problem
resists the attack of academics, hobbyists, and mechanics - the
probability the problem can be broken using simple techniques that were
available at the time the problem was posed (or even comprehensible to
the people of that time) decreases."
Occasionally someone invents a wheel, but divine beams of light are a
lot less common than simple grunt-work and craftsmanship. This is also
true of "our opponents" as you have a tendency to call them.
> >Not at least trying cryptanalysis on a cipher is stupid which
> >I'm sure you agree with.
>
> I do. But there is no one cryptanalysis. Indeed, there is no end to
> it. But we do have to make an end before we can field anything. This
> in itself tells us that cryptanalysis as certification is necessarily
> incomplete.
It is all probabilities and risk management. Mr Schneier will hopefully
agree with me on that and I hope you do too (I hope anyone contributing
to the crypto-frameworks I will have to use day-to-day agree with that
also).
Would you have us believe that all things that are not absolute are
necessarily equal? God, this sounds like a debate on socialism all of a
sudden - my humblest apologies [;-)
> Our main problem is that cryptanalysis does NOT say that there is no
> simpler attack. It does NOT say that a well-examined cipher is secure
> from your kid sister. Oh, many people will offer their opinion, but
> you won't see many such claims in scientific papers, because there
> we expect actual facts, as opposed to wishes, hopes, and dreams.
But those claims say as much as; "we've hopefully done the best we can
with the best techniques we have and the best people we can find, and
this one seemed to resist our best attacks the best so we can only give
you the best assurances we can that the best chance you have is to use
this one".
If you cannot interpret cryptanalytic conclusions in that fashion then
you seem to miss their point. I agree with Mr Schneier ... it is a race
- our opponents (again using your phrase) get to see the best
cryptanalytic techniques we have, and sometimes we get a peek (or a
leak) at theirs ... we just do the best we can with what we've got - and
history has shown that if we keep that up for a while, the chances of an
about-turn due to some radical improvement in the theory decreases
steadily.
> Cryptanalysis does NOT give us an indication of how much effort our
> Opponent will have to spend to break the cipher. Yet that is exactly
> what the cryptanalytic process would like us to believe: That is why
I disagree - your point of view has some merit but is no more valid than
the polar opposite statement. If people devote their lives to keeping up
to date with the literature and do their best to innovate and develop in
full public-view, and their best attempts to break things fail for a
period of time (and I'm talking about the crypto community as a whole
here) then we CAN infer that that process represents a steadily
increasing probability that it's not going to fall over tomorrow in some
dramatic fashion. I do not mean that evolving cryptanalysis work
provides increasing confidence in brand-new ciphers and what-not, rather
that as one cipher builds up a catalogue of evolving cryptanalysis work
against it that we DO have a decreasing probability that THAT cipher
will fall over in show-stopper fashion.
> we have the process of: 1) design a cipher, and 2) certify the
> cipher by cryptanalysis. As I see it, the real opportunity for
> cryptanalysis is as part of a dynamic and interactive cipher design
> process, as opposed to final certification.
And it currently isn't? What exactly does the open publication of
research, countless conferences, news-groups, mail-lists, web-sites,
open-source projects, etc amount to other than a dynamic and interactive
process? Also, thousands of hobbyists and professionals all doing their
damndest to break each others ciphers gives me personally some
confidence in the value of "standing the test of time".
> Thanks. I suggest you learn it by heart if you intend to depend upon
> cryptography.
I suggest that you get a little more realistic. What do you have more
confidence in, "NT.DLL" or an established release version of the linux
kernel? Or IIS versus Apache? (again, speaking about versions which
aren't acknowledged by the authors as being "beta"). And no, that
question is not rhetorical, I'm actually interested to hear your
response.
As for your continued suggestion that confidence in (relative)
conclusions reached by noted cryptanalysts is overrated and work by
lesser mortals unfairly disregarded. In reality I think you are wrong.
(a) If a lesser mortal finds an improvement in cracking DES keys, they
need only publish it to sci.crypt with the header "I think I can hack
DES keys a bit faster ..." and they will get all the attention to their
claims they desire, and if they have the facts to back it up they
needn't worry about anonymity. (b) If someone with a track-record
proposes a new cipher (or in my metaphor, an alteration to kernel.c in
Linux) and someone unknown does the same, it is natural, right, and fair
for me to regard the latter with more scepticism and the former with a
little more of an open mind.
Perhaps this Darwinist philosophy is not to your liking but I'm afraid
it fits the model. If I have a studied knowledge of shooting, am good at
it myself, stay abreast of the most modern trends, and am widely
respected as an expert in the field - then I am probably as good a
person as any to suggest methods for staying out of the firing line.
> This is my bit for public education.
And it has been useful to provide for thoughtful debate - but I think
you overreach to absolute conclusions to counter opposing conclusions
that I don't think anybody is actually making.
> I have no modern products. I do offer cryptographic consulting time,
> and then I call it as I see it. I also own patented cryptographic
> technology which could be useful in a wide range of ciphers.
Great - perhaps if you would benefit us all (if that is your aim) by
describing
(a) how you made design decisions for your cryptographic technology
(particularly with relationship to your awareness of classical and
modern loopholes and weaknesses you were trying to avoid).
(b) what kind of analysis has been (or could be) done on the/those
technology(ies).
(c) how you would convince anybody that your ideas merit some degree of
trust/faith/use/investment.
Do you expect us to assume that even though the winning AES candidate
will have been subjected to very deep analysis by very many parties from
very different angles of vested interest/disinterest, because it COULD
be broken tomorrow it has no more measurable "strength" than a
boutique new idea which has not been widely distributed and tested? The
fact two things are neither black nor white does not imply they are the
same shade of grey.
> I see no problem with someone promoting what they think is an advance
> in the field, even if they will benefit. But when reasoning errors
> are promoted which just happen to benefit one's business -- in fact, a
> whole sub-industry -- some skepticism seems appropriate. Just once I
> would like to see delusions promoted which produce *less* business.
You call them "delusions", I call them "reasoned and qualified critiques
open to public dissemination and review" - let's call the whole thing
off. (as the song goes).
Regards,
Geoff
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Adequacy of FIPS-140
Date: Sat, 17 Apr 1999 17:45:04 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 17 Apr 1999 14:45:48 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:
>Terry Ritter wrote:
>> OK, I'll bite: What do you have in mind?
>
>Gee, I was hoping you'd go off and develop such a method.
>We certainly need something better than "I tried random
>attacks and didn't find one that succeeded."
Gee, I was hoping you could show us how you successfully attacked the
OTP cryptosystem.
Bob Knauer
"I am a great mayor; I am an upstanding Christian man; I am an intelligent
man; I am a deeply educated man; and I am a very humble man."
- Marion Barry, Mayor of Washington DC
------------------------------
From: [EMAIL PROTECTED] (Helger Lipmaa)
Subject: Re: AES Competition
Date: 17 Apr 1999 19:13:21 GMT
Steven Alexander ([EMAIL PROTECTED]) wrote:
: leaving:
: RC6
: Serpent
: CAST-256
: SAFER+
: E2
As I didn't find this information on the AES webpage, I decided to put it up
myself. Namely, there was an _informal_ questionnaire filled in at the end of
the AES2 conference, where everyone visiting the conference could indicate
whether the corresponding cipher should make it to the second round (+),
should not make it (-), or whether it was an open question (=). There were
104 answers, and the results (Total = plus votes minus minus votes) were as
follows:
Cipher       Total     +     -     =
==============================================
Rijndael      +76     77     1    19
RC6           +73     79     6    15
Twofish       +61     64     3    28
Mars          +52     58     6    35
Serpent       +45     52     7    39
E2            +14     27    13    53
followed by CAST-256 (-2), SAFER+ (-4), DFC (-5), Crypton (-15), DEAL (-70),
HPC (-77), Magenta (-83), Frog (-85), Loki97 (-85).
Among the participants were most of the world renowned cryptographers in the
area.
(the results are archived at http://home.cyber.ee/helger/aes)
Helger
http://home.cyber.ee/helger
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************